Ballot-Marking Devices (BMDs) Cannot Assure the Will of the Voters

28 Pages Posted: 21 May 2019 Last revised: 4 Jan 2020

See all articles by Andrew Appel

Andrew Appel

Princeton University

Richard DeMillo

Georgia Institute of Technology

Philip B. Stark

University of California, Berkeley

Date Written: April 21, 2019


Computers, including all modern voting systems, can be hacked and misprogrammed. The scale and complexity of U.S. elections may require the use of computers to count ballots, but election integrity requires a paper-ballot voting system in which, regardless of how they are initially counted, ballots can be re- counted by hand to check whether election outcomes have been altered by buggy or hacked software. Furthermore, secure voting systems must be able to recover from any errors that might have occurred.

However, paper ballots provide no assurance unless they accurately record the vote as the voter expresses it. Voters can express their intent by hand-marking a ballot with a pen, or using a computer called a ballot-marking device (BMD), which generally has a touchscreen and assistive interfaces. Voters can make mistakes in expressing their intent in either technology, but only the BMD is also subject to systematic error from computer hacking or bugs in the process of recording the vote on paper, after the voter has expressed it. A hacked BMD can print a vote on the paper ballot that differs from what the voter expressed, or can omit a vote that the voter expressed.

It is not easy to check whether BMD output accurately reflects how one voted in every contest. Research shows that most voters do not review paper ballots printed by BMDs, even when clearly instructed to check for errors. Furthermore, most voters who do review their ballots do not check carefully enough to notice errors that would change how their votes were counted. Finally, voters who detect BMD errors before casting their ballots, can correct only their own ballots, not systematic errors, bugs, or hacking. There is no action that a voter can take to demonstrate to election officials that a BMD altered their expressed votes, and thus no way voters can help deter, detect, contain, and correct computer hacking in elections. That is, not only is it inappropriate to rely on voters to check whether BMDs alter expressed votes, it doesn’t work.

Risk-limiting audits of a trustworthy paper trail can check whether errors in tabulating the votes as recorded altered election outcomes, but there is no way to check whether errors in how BMDs record expressed votes altered election out- comes. The outcomes of elections conducted on current BMDs therefore cannot be confirmed by audits. This paper identifies two properties of voting systems, contestability and defensibility, that are necessary conditions for any audit to con- firm election outcomes. No commercially available EAC-certified BMD is contestable or defensible.

To reduce the risk that computers undetectably alter election results by printing erroneous votes on the official paper audit trail, the use of BMDs should be limited to voters who require assistive technology to vote independently.

Keywords: election security, cyber security, voting systems, voter verification, risk-limiting audits, ballot-marking devices, hand-marked ballots, hacking, contestability. defensibility

Suggested Citation

Appel, Andrew and DeMillo, Richard and Stark, Philip B., Ballot-Marking Devices (BMDs) Cannot Assure the Will of the Voters (April 21, 2019). Available at SSRN: or

Andrew Appel

Princeton University ( email )

35 Olden Street
Princeton, NJ 08540
United States

Richard DeMillo (Contact Author)

Georgia Institute of Technology ( email )

School of Computer Science
Atlanta, GA 30332
United States


Philip B. Stark

University of California, Berkeley ( email )

Department of Statistics
Berkeley, CA 94720
United States
510-642-2781 (Phone)

Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics